CVE-2023-4822
grafana: incorrect assessment of permissions across organizations
- Severity Score: (not listed)
- Exploit Likelihood: (not listed)
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations.
It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally.
This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user.
The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.
A flaw was found in the Grafana enterprise package. Grafana incorrectly assesses permissions to update global roles and role assignments; therefore, users with administrator permissions in one organization can change global role permissions and global role assignments. After successful exploitation, an attacker who holds the Organization Admin role in any organization can elevate their own permissions across all organizations, elevate other users' permissions in all organizations, or limit other users' permissions in all organizations.
SSVC
- Decision: Track*
Timeline
- 2023-09-07 CVE Reserved
- 2023-10-16 CVE Published
- 2024-09-16 CVE Updated
- 2024-10-22 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-269: Improper Privilege Management
CAPEC
- CAPEC-233: Privilege Escalation
References (4)
URL | Date | Source
---|---|---
https://security.netapp.com/advisory/ntap-20231103-0008 | |
https://grafana.com/security/security-advisories/cve-2023-4822 | 2023-11-04 |
https://access.redhat.com/security/cve/CVE-2023-4822 | 2024-06-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=2239726 | 2024-06-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Grafana | Grafana | >= 8.0.0 < 9.4.16 | enterprise | Affected
Grafana | Grafana | >= 9.5.0 < 9.5.11 | enterprise | Affected
Grafana | Grafana | >= 10.0.0 < 10.0.7 | enterprise | Affected
Grafana | Grafana | >= 10.1.0 < 10.1.3 | enterprise | Affected